Overview
overview
8Static
static
3VegaX.exe
windows7-x64
7VegaX.exe
windows10-2004-x64
8$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
3System.exe
windows7-x64
7System.exe
windows10-2004-x64
8d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...05.dll
windows7-x64
1resources/...05.dll
windows10-2004-x64
1resources/...am.exe
windows7-x64
1resources/...am.exe
windows10-2004-x64
1resources/...ot.exe
windows7-x64
3resources/...ot.exe
windows10-2004-x64
3resources/elevate.exe
windows7-x64
3resources/elevate.exe
windows10-2004-x64
3swiftshade...GL.dll
windows7-x64
1swiftshade...GL.dll
windows10-2004-x64
1swiftshade...v2.dll
windows7-x64
1swiftshade...v2.dll
windows10-2004-x64
1vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 00:20
Static task
static1
Behavioral task
behavioral1
Sample
VegaX.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
VegaX.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
LICENSES.chromium.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
LICENSES.chromium.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
System.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
System.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
resources/app.asar.unpacked/node_modules/take-cam/DirectShowLib-2005.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
resources/app.asar.unpacked/node_modules/take-cam/DirectShowLib-2005.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
resources/app.asar.unpacked/node_modules/take-cam/prey-webcam.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral21
Sample
resources/app.asar.unpacked/node_modules/take-cam/prey-webcam.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
resources/app.asar.unpacked/node_modules/take-cam/snapshot.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
resources/app.asar.unpacked/node_modules/take-cam/snapshot.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
resources/elevate.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
resources/elevate.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
swiftshader/libEGL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral27
Sample
swiftshader/libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
swiftshader/libGLESv2.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral29
Sample
swiftshader/libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
vk_swiftshader.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral31
Sample
vk_swiftshader.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
vulkan-1.dll
Resource
win7-20240708-en
windows7-x64
General
-
Target
System.exe
-
Size
139.6MB
-
MD5
a1bd7f9fcdb0b75d30fa9f0caac5d2a7
-
SHA1
5602eb1782cb0de1aba91d3c06589be195c5dee8
-
SHA256
7c878c82ccd577f3dad67fb1fe5e0b681f27ba9a741c79bfd9bbfa032dccde65
-
SHA512
1befc5c99e4832dd5d53759c4ff6e24d9a6059e494573f84d3395c1473690d29ec1534f9fcce20ab54f811a69d4c443f862dc7ddb908c99037637105b58bf85e
-
SSDEEP
786432:d14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:d14kpHwQjCWv+K18CedmVvEQEpcJW
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 2092 System.exe 2092 System.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ipinfo.io 5 ipinfo.io 6 ipinfo.io -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2876 tasklist.exe 2752 tasklist.exe -
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid Process 1744 WMIC.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1636 WMIC.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2092 System.exe 2092 System.exe 3016 System.exe 2280 powershell.exe 2092 System.exe 2092 System.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2752 tasklist.exe Token: SeIncreaseQuotaPrivilege 2484 WMIC.exe Token: SeSecurityPrivilege 2484 WMIC.exe Token: SeTakeOwnershipPrivilege 2484 WMIC.exe Token: SeLoadDriverPrivilege 2484 WMIC.exe Token: SeSystemProfilePrivilege 2484 WMIC.exe Token: SeSystemtimePrivilege 2484 WMIC.exe Token: SeProfSingleProcessPrivilege 2484 WMIC.exe Token: SeIncBasePriorityPrivilege 2484 WMIC.exe Token: SeCreatePagefilePrivilege 2484 WMIC.exe Token: SeBackupPrivilege 2484 WMIC.exe Token: SeRestorePrivilege 2484 WMIC.exe Token: SeShutdownPrivilege 2484 WMIC.exe Token: SeDebugPrivilege 2484 WMIC.exe Token: SeSystemEnvironmentPrivilege 2484 WMIC.exe Token: SeRemoteShutdownPrivilege 2484 WMIC.exe Token: SeUndockPrivilege 2484 WMIC.exe Token: SeManageVolumePrivilege 2484 WMIC.exe Token: 33 2484 WMIC.exe Token: 34 2484 WMIC.exe Token: 35 2484 WMIC.exe Token: SeIncreaseQuotaPrivilege 2484 WMIC.exe Token: SeSecurityPrivilege 2484 WMIC.exe Token: SeTakeOwnershipPrivilege 2484 WMIC.exe Token: SeLoadDriverPrivilege 2484 WMIC.exe Token: SeSystemProfilePrivilege 2484 WMIC.exe Token: SeSystemtimePrivilege 2484 WMIC.exe Token: SeProfSingleProcessPrivilege 2484 WMIC.exe Token: SeIncBasePriorityPrivilege 2484 WMIC.exe Token: SeCreatePagefilePrivilege 2484 WMIC.exe Token: SeBackupPrivilege 2484 WMIC.exe Token: SeRestorePrivilege 2484 WMIC.exe Token: SeShutdownPrivilege 2484 WMIC.exe Token: SeDebugPrivilege 2484 WMIC.exe Token: SeSystemEnvironmentPrivilege 2484 WMIC.exe Token: SeRemoteShutdownPrivilege 2484 WMIC.exe Token: SeUndockPrivilege 2484 WMIC.exe Token: SeManageVolumePrivilege 2484 WMIC.exe Token: 33 2484 WMIC.exe Token: 34 2484 WMIC.exe Token: 35 2484 WMIC.exe Token: SeDebugPrivilege 2876 tasklist.exe Token: SeShutdownPrivilege 2092 System.exe Token: SeShutdownPrivilege 2092 System.exe Token: SeIncreaseQuotaPrivilege 2800 WMIC.exe Token: SeSecurityPrivilege 2800 WMIC.exe Token: SeTakeOwnershipPrivilege 2800 WMIC.exe Token: SeLoadDriverPrivilege 2800 WMIC.exe Token: SeSystemProfilePrivilege 2800 WMIC.exe Token: SeSystemtimePrivilege 2800 WMIC.exe Token: SeProfSingleProcessPrivilege 2800 WMIC.exe Token: SeIncBasePriorityPrivilege 2800 WMIC.exe Token: SeCreatePagefilePrivilege 2800 WMIC.exe Token: SeBackupPrivilege 2800 WMIC.exe Token: SeRestorePrivilege 2800 WMIC.exe Token: SeShutdownPrivilege 2800 WMIC.exe Token: SeDebugPrivilege 2800 WMIC.exe Token: SeSystemEnvironmentPrivilege 2800 WMIC.exe Token: SeRemoteShutdownPrivilege 2800 WMIC.exe Token: SeUndockPrivilege 2800 WMIC.exe Token: SeManageVolumePrivilege 2800 WMIC.exe Token: 33 2800 WMIC.exe Token: 34 2800 WMIC.exe Token: 35 2800 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2052 2092 System.exe 31 PID 2092 wrote to memory of 2052 2092 System.exe 31 PID 2092 wrote to memory of 2052 2092 System.exe 31 PID 2052 wrote to memory of 2752 2052 cmd.exe 33 PID 2052 wrote to memory of 2752 2052 cmd.exe 33 PID 2052 wrote to memory of 2752 2052 cmd.exe 33 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 2760 2092 System.exe 34 PID 2092 wrote to memory of 1312 2092 System.exe 36 PID 2092 wrote to memory of 1312 2092 System.exe 36 PID 2092 wrote to memory of 1312 2092 System.exe 36 PID 1312 wrote to memory of 2484 1312 cmd.exe 38 PID 1312 wrote to memory of 2484 1312 cmd.exe 38 PID 1312 wrote to memory of 2484 1312 cmd.exe 38 PID 2092 wrote to memory of 1420 2092 System.exe 39 PID 2092 wrote to memory of 1420 2092 System.exe 39 PID 2092 wrote to memory of 1420 2092 System.exe 39 PID 2092 wrote to memory of 876 2092 System.exe 40 PID 2092 wrote to memory of 876 2092 System.exe 40 PID 2092 wrote to memory of 876 2092 System.exe 40 PID 1420 wrote to memory of 2876 1420 cmd.exe 43 PID 1420 wrote to memory of 2876 1420 cmd.exe 43 PID 1420 wrote to memory of 2876 1420 cmd.exe 43 PID 876 wrote to memory of 2892 876 cmd.exe 44 PID 876 wrote to memory of 2892 876 cmd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=972 --field-trial-handle=1144,11865548391691777407,9080176110640869300,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2760
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"2⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\System32\Wbem\WMIC.exewmic process where processid=NaN get ExecutablePath3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "net session"2⤵
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\system32\net.exenet session3⤵PID:2892
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:2372
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"2⤵PID:1208
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get size3⤵
- Collects information from the system
PID:1744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"2⤵PID:2672
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\system32\more.commore +13⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"2⤵PID:2856
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"2⤵PID:1452
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"2⤵PID:2168
-
C:\Windows\System32\Wbem\WMIC.exewmic OS get caption, osarchitecture3⤵PID:1288
-
-
C:\Windows\system32\more.commore +13⤵PID:1044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"2⤵PID:1804
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵PID:3012
-
-
C:\Windows\system32\more.commore +13⤵PID:1716
-
-
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1588 --field-trial-handle=1144,11865548391691777407,9080176110640869300,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1624 --field-trial-handle=1144,11865548391691777407,9080176110640869300,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2016
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"2⤵PID:3048
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController get name3⤵
- Detects videocard installed
PID:1636
-
-
C:\Windows\system32\more.commore +13⤵PID:1004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"2⤵PID:1712
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD53072b68e3c226aff39e6782d025f25a8
SHA1cf559196d74fa490ac8ce192db222c9f5c5a006a
SHA2567fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
SHA51261ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
-
Filesize
643KB
MD5d549d81caf247e8779887b59b5605d67
SHA1a6b04e526da738b6501a6b570cef2146ea516ae6
SHA25667e5b369c0dcafe09077eabc98662d37218b1b081373a6b18ab980b8e3c84bef
SHA512eb3f831a594b9290075be6b5b338a4b13c596c174b8c97b466d3b1eff00386ffdee9e0598a4fa45c3a3de6028bfafa462e8b87e458f79b67646d3f02705438a6